Re: Integrated Windows Authentication

From: Dominick Baier <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 30 Jan 2007 10:20:28 +0000 (UTC)

Basic Auth sends passwords in clear text, integrated sends them hashed (this is only slightly better).

In any case you need SSL to protect the credentials on the wire.

Integrated auth is really 2 protocols - NTLM and Kerberos.

Some browsers like FF support NTLM - thats probably the reason why you could log on...

-----
Dominick Baier (http://www.leastprivilege.com)

I have read somewhere that Basic Authentication should be avoided
because it sends passwords in clear text and that Integrated Windows
Authentication only works with Internet Explorer on a Windows
computer. I have a website in IIS with only Integrated Windows
Authentication enabled and not anonymous or Basic Authentication
enabled. I have installed Mozilla on the computed and could log on
with no problem. I then booted from a Knoppix Live CD on another
computer and again logged on using Firefox with no problem. I then did
a TCP/IP trace of the network traffic while I logged onto the site in
Knoppix and could not find any password. Why is this?

Follow-Ups:
- Re: Integrated Windows Authentication
  - From: mail747097

References:
- Integrated Windows Authentication
  - From: mail747097

Prev by Date: Re: Custom Membership Provider FullTrust Problem
Next by Date: Re: Custom Membership Provider FullTrust Problem
Previous by thread: Integrated Windows Authentication
Next by thread: Re: Integrated Windows Authentication
Index(es):
- Date
- Thread

Relevant Pages

Re: IIS 6 Integrated Security....risks??
... Integrated Windows Authentication does not secure your server, ... Windows already stores usernames and passwords securely. ... you need a single authentication store - something like Active ...
(microsoft.public.inetserver.iis.security)
Re: OWA and SSL Problems
... I would look in IIS/ESM and make sure that you are using the same flavor of authentication for exchange and public. ... (e.g. Basic Auth vs. Integrated Windows.) ... take a look at Internet Explorer and see how it is configured about supplying passwords in a particular zone and whether or not Integrated Windows Authentication is enabled. ...
(microsoft.public.exchange.clients)
Re: IIS 6 Integrated Security....risks??
... My first concern is to ensure that the domain server and all data on ... Integrated Windows Authentication does not secure your server, ... Windows already stores usernames and passwords securely. ... But, with Integrated Windows Autentication the user name and password, ...
(microsoft.public.inetserver.iis.security)
Forms and integrated authentication combined
... I know how to use both Forms and Integrated Windows authentication. ... both of them have a critical problem, ... the same password as their NT account, meaning passwords would be stored in ... I want to leave "Anonymous access" and "Integrated Windows ...
(microsoft.public.dotnet.framework.aspnet)
Forms and integrated authentication combined
... I know how to use both Forms and Integrated Windows authentication. ... both of them have a critical problem, ... the same password as their NT account, meaning passwords would be stored in ... I want to leave "Anonymous access" and "Integrated Windows ...
(microsoft.public.dotnet.framework.aspnet)